Module 3

3.1

Engagement Methodology

In a CTF, the goal is the flag. In an engagement, the goal is to assess the security posture of the environment and communicate risk to the client. That’s a fundamentally different objective, and it requires a methodology — not just a sequence of attacks.

Professional pentesters work within established frameworks. The most common are PTES (Penetration Testing Execution Standard), OWASP (for web applications), and OSSTMM. These aren’t checklists to follow blindly — they’re structures that ensure comprehensive coverage and consistent quality.

A methodology does three things for you:

Coverage: It ensures you don’t skip phases. Beginners jump straight to exploitation. A methodology reminds you to enumerate thoroughly before exploiting, and to document as you go.

Defensibility: When the client asks “how did you approach this?” you can point to a recognized framework. This is especially important if a finding is disputed.

Efficiency: A structured approach prevents wasted time. You know what to do next without stopping to think about it.

For the Navigating Security Corp engagement, TadiSec follows PTES with phases adapted for an internal AD assessment: intelligence gathering, vulnerability analysis, exploitation, post-exploitation (lateral movement and privilege escalation), and reporting.

Below, categorize ten activities from the Navigating Security Corp engagement into their correct methodology phases.

Challenge

Categorize by Phase

For each activity, select which methodology phase it belongs to.

Intelligence Gathering, Vulnerability Analysis, Exploitation, Post-Exploitation, Reporting

Ran BloodHound to map Active Directory trust relationships

Wrote the executive summary for the client report

Reviewed the scope of work with the client

Exploited a Kerberoastable service account to obtain a TGS ticket

Used the cracked svc_adbackup credentials to authenticate to DC01 and escalate from Domain Users to full domain admin access via DCSync

Ran a discovery scan of 10.1.1.0/24 to map reachable hosts, then scanned DC01 (10.1.1.10) for open ports and services

Identified a missing patch on the domain controller running SMBv1

Escalated privileges to Domain Admin via unconstrained delegation

Took screenshots of the Domain Admin desktop as evidence

Assigned a CVSS severity rating to the Kerberoasting finding